AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-03-10 · Documentation low

File: AmazonS3/latest/userguide/setting-repl-config-perm-overview.md

Summary

Added new section with detailed IAM permissions required for creating replication rules

Security assessment

The change adds documentation about required security permissions for replication setup, but does not indicate resolution of a specific security issue.

Diff

diff --git a/AmazonS3/latest/userguide/setting-repl-config-perm-overview.md
index 10dacfb76..c22378ae7 100644
--- a/AmazonS3/latest/userguide/setting-repl-config-perm-overview.md
+++ b/AmazonS3/latest/userguide/setting-repl-config-perm-overview.md
@@ -5 +5 @@
-Creating an IAM roleGranting permissions when the source and destination buckets are owned by different AWS accountsChanging replica ownershipGranting permissions for S3 Batch Operations
+Setting up permissions to create replication rulesCreating an IAM roleGranting permissions when the source and destination buckets are owned by different AWS accountsChanging replica ownershipGranting permissions for S3 Batch Operations
@@ -19,0 +20,2 @@ When setting up live replication in Amazon S3, you must acquire the necessary pe
+  * Setting up permissions to create replication rules
+
@@ -30,0 +33,106 @@ When setting up live replication in Amazon S3, you must acquire the necessary pe
+## Setting up permissions to create replication rules
+
+The IAM user or role that you will use to create replication rules needs permissions to create replication rules for one- or two-way replications. If the user or role doesn't have these permissions, you won't be able to create replication rules. For more information, see [IAM Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) in the _IAM User Guide_.
+
+The user or role needs the following actions:
+
+  * `iam:AttachRolePolicy`
+
+  * `iam:CreatePolicy`
+
+  * `iam:CreateServiceLinkedRole`
+
+  * `iam:PassRole`
+
+  * `iam:PutRolePolicy`
+
+  * `s3:GetBucketVersioning`
+
+  * `s3:GetObjectVersionAcl`
+
+  * `s3:GetObjectVersionForReplication`
+
+  * `s3:GetReplicationConfiguration`
+
+  * `s3:PutReplicationConfiguration`
+
+
+
+
+Following is a sample IAM policy that includes these actions.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "s3:GetAccessPoint",
+                    "s3:GetAccountPublicAccessBlock",
+                    "s3:GetBucketAcl",
+                    "s3:GetBucketLocation",
+                    "s3:GetBucketPolicyStatus",
+                    "s3:GetBucketPublicAccessBlock",
+                    "s3:ListAccessPoints",
+                    "s3:ListAllMyBuckets",
+                    "s3:PutReplicationConfiguration",
+                    "s3:GetReplicationConfiguration",
+                    "s3:GetBucketVersioning",
+                    "s3:GetObjectVersionForReplication",
+                    "s3:GetObjectVersionAcl",
+                    "s3:GetObject",
+                    "s3:ListBucket",
+                    "s3:GetObjectVersion",
+                    "s3:GetBucketOwnershipControls",
+                    "s3:PutBucketOwnershipControls",
+                    "s3:GetObjectLegalHold",
+                    "s3:GetObjectRetention",
+                    "s3:GetBucketObjectLockConfiguration"
+                ],
+                "Resource": [
+                    "arn:aws:s3:::amzn-s3-demo-bucket1-*",
+                    "arn:aws:s3:::amzn-s3-demo-bucket2-*/*"
+                ]
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "s3:List*AccessPoint*",
+                    "s3:GetMultiRegion*"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "iam:Get*",
+                    "iam:CreateServiceLinkedRole",
+                    "iam:CreateRole",
+                    "iam:PassRole"
+                ],
+                "Resource": "arn:aws:iam::*:role/service-role/s3*"
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "iam:List*"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "iam:AttachRolePolicy",
+                    "iam:PutRolePolicy",
+                    "iam:CreatePolicy"
+                  ],
+                "Resource": [
+                    "arn:aws:iam::*:policy/service-role/s3*",
+                    "arn:aws:iam::*:role/service-role/s3*"
+                ]
+            }
+        ]
+    }            
+            
+